04-03-2012 11:47 PM
I use ESET NOD 32 for my virus/firewall protection.
I have been receiving DNS Cache Poisoning Attacks on the Comcast DNS server IP addresses 75.75.75.75:54 and 75.75.76.76:53. The attacks are hitting any number of different ports on my NAT networked computer.
I thought Comcast had corrected these attacks. Any assistance available.
04-04-2012 09:51 AM
mperata wrote:
I use ESET NOD 32 for my virus/firewall protection.
I have been receiving DNS Cache Poisoning Attacks on the Comcast DNS server IP addresses 75.75.75.75:54 and 75.75.76.76:53. The attacks are hitting any number of different ports on my NAT networked computer.
I thought Comcast had corrected these attacks. Any assistance available.
Huh? Are you running a local DNS resolver?
04-04-2012 12:49 PM
No, I am not running a DNS Resolver and I am sorry I confused you.
Beyond your modem I have a CISCO Linksys E2500 with the router pointing to your DNS Servers 75.75.75.75 & 75.75.76.76.
As I mentioned in the first post I am using ESET Smart Security (not NOD32) v 5.0.95.0
Here is the log from the ESET firewall
4/3/2012 12:10:01 PM Detected DNS cache poisoning attack 75.75.76.76:53 192.168.1.131:53974 UDP
4/3/2012 12:10:01 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:53974 UDP
4/2/2012 10:24:18 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:60743 UDP
3/31/2012 10:55:14 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:52522 UDP
3/30/2012 11:48:38 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:52566 UDP
3/29/2012 11:46:12 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:54610 UDP
3/29/2012 12:45:53 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:65208 UDP
3/26/2012 11:29:53 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:59161 UDP
3/26/2012 9:43:08 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:59141 UDP
3/20/2012 7:05:44 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:62422 UDP
3/20/2012 5:27:21 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:64732 UDP
3/20/2012 1:25:10 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:49343 UDP
3/16/2012 2:12:08 PM Detected DNS cache poisoning attack 75.75.76.76:53 192.168.1.131:57019 UDP
3/10/2012 11:07:16 AM Detected DNS cache poisoning attack 75.75.76.76:53 192.168.1.131:63607 UDP
3/10/2012 10:57:19 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:56803 UDP
3/3/2012 9:40:28 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:49402 UDP
3/3/2012 8:59:36 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:61351 UDP
3/2/2012 6:54:46 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:51895 UDP
3/2/2012 1:58:16 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:51474 UDP
2/27/2012 7:37:37 PM Detected DNS cache poisoning attack 75.75.76.76:53 192.168.1.131:64964 UDP
2/23/2012 9:11:14 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:62212 UDP
2/23/2012 8:59:29 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:65053 UDP
2/23/2012 8:12:09 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:58957 UDP
2/20/2012 5:57:59 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:59005 UDP
2/18/2012 2:47:19 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:62848 UDP
2/17/2012 8:53:21 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:61249 UDP
2/17/2012 7:46:06 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:58197 UDP
2/1/2012 9:59:31 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:53081 UDP
2/1/2012 10:23:48 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:54866 UDP
1/28/2012 9:45:01 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:62042 UDP
1/20/2012 9:37:03 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:60604 UDP
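An added example (not part of any post in this thread, and not ESET's or Comcast's code): a short Python triage of alert lines in the format shown in the log above. It checks whether every flagged packet claims to come from one of the two configured resolvers on port 53, how many alerts occur per day, and whether one client socket was answered by both resolvers in the same second. The resolver set and the five sample lines are taken from the post. UDP source addresses can be forged, so the summary describes the alerts and does not by itself classify them.

```python
from collections import Counter, defaultdict
from datetime import datetime
import re

# Resolvers the poster says the router points at (from the thread).
CONFIGURED_RESOLVERS = {"75.75.75.75", "75.75.76.76"}

# Five lines copied from the ESET log in the post above.
SAMPLE_LOG = """\
4/3/2012 12:10:01 PM Detected DNS cache poisoning attack 75.75.76.76:53 192.168.1.131:53974 UDP
4/3/2012 12:10:01 PM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:53974 UDP
4/2/2012 10:24:18 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:60743 UDP
3/31/2012 10:55:14 AM Detected DNS cache poisoning attack 75.75.75.75:53 192.168.1.131:52522 UDP
3/16/2012 2:12:08 PM Detected DNS cache poisoning attack 75.75.76.76:53 192.168.1.131:57019 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<event>.+?) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse(log_text):
    """Yield one dict per well-formed alert line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def triage(log_text):
    """Summarise the alerts so they can be compared with ordinary DNS replies."""
    recs = list(parse(log_text))
    by_socket = defaultdict(set)  # (timestamp, client port) -> resolver IPs seen
    for r in recs:
        by_socket[(r["ts"], r["dport"])].add(r["src"])
    return {
        "alerts": len(recs),
        "unexpected_sources": sorted({r["src"] for r in recs} - CONFIGURED_RESOLVERS),
        "non_dns_source_ports": sorted({r["sport"] for r in recs if r["sport"] != 53}),
        "max_alerts_per_day": max(Counter(r["ts"].date() for r in recs).values(), default=0),
        # Same client socket answered by more than one resolver in the same second.
        "multi_resolver_replies": sorted(p for (_, p), s in by_socket.items() if len(s) > 1),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```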
04-04-2012 02:19 PM
mperata wrote:
No, I am not running a DNS Resolver and I am sorry I confused you.
Beyond your modem I have a CISCO Linksys E2500 with the router pointing to your DNS Servers 75.75.75.75 & 75.75.76.76.
As I mentioned in the first post I am using ESET Smart Security (not NOD32) v 5.0.95.0
Here is the log from the ESET firewall
I'd recommend you contact ESET to ask how exactly they detect cache poisoning attacks on our servers without running their software ON our servers. I'm not sure how that is technically possible. Sounds to me like some kind of false positive, perhaps due to the fact that we're using DNSSEC and some domains you look up are not signed - but only they'd know. Happy to have our DNS guys talk to ESET if you have a contact as well.
04-10-2012 05:52 PM
I'm not trying to be adversarial or snide, but doesn't Comcast "poison" DNS resolution? I'm aware that poisoning is a slangish term but what Comcast does with packet sniffing and (used to do with) DNS redirects is symptomatically identical to DNS poisoning, and as Comcast doesn't feel that it is necessary to outline what exactly it does, we are left to only guess. Deduction and reasoning says that basically Anti-virus software would correctly detect DNS poisoning and I am a bit surprised that no one I have seen has said that this behavior is to be expected.
04-11-2012 09:26 AM
With the deployment of DNSSEC validating recursive resolvers on our network, we are no longer using Domain Helper. We disclose our network management practices on http://networkmanagement.comcast.net, and you will see the first post refers to Domain Helper being deactivated. If you would like to learn more about our DNSSEC deployment, please go to http://www.dnssec.comcast.net.
Regards,
Chris
04-12-2012 08:47 AM
And even when Comcast had their Domain Helper, I wouldn't call it poisoning. Poisoning is bad when it substitutes the perpetrator's IP for the target domain's IP; when you tried to go to one server, you would be redirected to another. But Domain Helper only kicked in when the name doesn't have an IP to begin with, so you only got redirected to Comcast's server when you would have gotten a failure.
05-05-2012 12:01 AM
I, too, use ESET Smart Security and have been getting the same message about DNS cache poisoning attack from same IPs. Just fyi. This started on 4-30-12 and again on 5-3-12.
Jannie
05-05-2012 11:53 AM
Uconnmom wrote:
I, too, use ESET Smart Security and have been getting the same message about DNS cache poisoning attack from same IPs. Just fyi. This started on 4-30-12 and again on 5-3-12.
Jannie
Please go here: http://dns-ok.us/
Is the background red or green?
05-07-2012 09:29 AM
LoPhatPhuud wrote:
Uconnmom wrote:
I, too, use ESET Smart Security and have been getting the same message about DNS cache poisoning attack from same IPs. Just fyi. This started on 4-30-12 and again on 5-3-12.
Jannie
Please go here: http://dns-ok.us/
Is the background red or green?
It is green. Thanks.
09-06-2012 12:04 AM
I too am using ESET Smart Security, though it is 5.2.9.1 version and get the same IPs giving ESET triggering DNS attack blocking. I have a Cisco E4200 router so I can use my tablet, which uses Android and Kaspersky and does not register attacks, but does not check traditionally for DNS poisoning either.
These attacks are sporadic and appeared to be access-determined, if I try to go to one site too often I get ESET triggering, same site infrequently accessed gets no poisoning report. I have gotten attacks across 3-4 subversions of ESET Smart Security. I have used computers since 1968, and will check with ESET tech support about the DNS Attack triggering.
BTW, Cisco E series uses a Linux derivative internally to router, if that triggers any memory I have no way to malware scan the router, but suspect strongly that if router was infected it would have much more of networking issues. Router has run two versions of firmware and ESET has triggered on DNS attack reporting during the both versions usage. I got the E4200 because it was on Comcast's recommended list for small business and thus more securable than a home-grade router, NOT because I have a business (no business here).
Mom is Comcast account holder, I am the one with computer knowledge and handle internet setup and admin here.